summaryrefslogtreecommitdiff
path: root/palemoon/debian/changelog
blob: abdc6c53ff1a0f2c84c97dc0482f058423a93c1c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
palemoon (28.6.0-1+devuan) manual; urgency=low

  * From releasenotes.shtml: This is a major development and bugfix update.
    - Implemented String.prototype.trimStart and String.prototype.trimEnd (ES2019)
    - Implemented Array.prototype.flat and Array.prototype.flatMap (ES2019)
    - Implemented Symbol.prototype.description (ES2019)
    - Added support for gzip-compressed SVG-in-Opentype fonts.
    - Updated official branding.
    - Updated reader view components.
    - Added a preference to control the setting of cookies through meta header information (non-standard feature) and disabled by default.
    - Updated ES6 Atomics and re-enabled them.
    - Updated internationalization code to support updated time zones and the Japanese Reiwa era.
    - Updated NSS to a custom version to have better encryption strength for master passwords.
    - IMPORTANT: To use this strong encryption and re-key the password database with it, change your master password (can be changed to the same one you already had if desired, but you have to go through the change password process). Depending on your computer and the number of stored passwords, this encryption update may take some time, so please be patient. Please be aware that once re-keyed, the password store will be locked to the new encryption and will no longer be accessible with the master password in older versions of Pale Moon.
    - Restored "Release notes" in the help menu.
    - Rearchitectured the application/extension update code.
    - Added several performance improvements to DOM and the parser.
    - Improved JavaScript garbage collection of dead compartments.
    - Fixed a performance issue with painting on some pages.
    - Improved performance of some websites with complex event regions.
    - Fixed a potential performance issue in display lists on some pages.
    - Fixed a rendering bottleneck for the use of XRender when using a remote session.
    - Fixed graphical artifacts/flickering when using XRender on Intel or Intel-hybrid GPU setups.
    - Added a DiD fix for potential future issues with inlining array natives.
    - Fixed a potential UAF situation in the HTML5 parser (DiD)
    - Fixed an origin-clean bypass issue.
    - Changed the way permissions for predefined sites are loaded.
    - Reverted the 28.5.1 change to treat *.jnlp files as executables (CVE-2019-11696) after input from an Oracle representative. Java Web Start files are not executable and should not be treated any different than regular documents handled by external applications.
    - Removed SecurityUI telemetry.
    - Removed some other dead telemetry code.
    - Removed geo-specific selection of default search engines.
    - Deprecated the use of FUEL.
    - Removed the unused code for "enhanced tiles" in the new tab page.
    - Removed preference to brute-force e10s to on.
    - Removed Unboxed Array code.
    - Removed Unboxed Object code.
    - Fixed failure to print if a page contains a 0-sized <canvas> element.
    - Fixed an issue with tab-modal dialogs being presented in the wrong order.
    - Fixed an issue with the tab bar remaining collapsed in customize mode if normally hidden.
    - Fixed an issue with Sync when choosing to overwrite data with synced data.
    - Fixed an issue with tab previews on the taskbar.
    - Fixed an issue with IntersectionObserver viewport accuracy.
    - Fixed Scroll bar orientation on Mac OS X.
    - Fixed an issue with anchor/link targets not re-using a named target.
    - Fixed a build issue with Gnu-CC on PPC64.
    - Fixed browser.link.open_newwindow functionality.

 -- B Stack <bgstack15@gmail.com>  Tue,  2 Jul 2019 11:31:51 -0400

palemoon (28.5.2-1+devuan) manual; urgency=low

  * From releasenotes.shtml: This is a security and bugfix update.
    - Restored a global getBoolPref() function shortcut for extension compatibility with old extensions.
    - If you are currently using this global function, please change it to Services.prefs.getBoolPref()
    - Fixed an issue with the UI when the address bar was removed from the navigation toolbar.
    - Fixed an issue with scripting of the Help menu.
    - Fixed a crash resulting from non-standard manipulation of XML stylesheets by extensions.
    - Fixed Aero Peek (taskbar previews) on Windows.
    - Fixed browser.link.open_newwindow functionality.
    - Removed the default handler for webcal since the site doesn't seem to be properly maintained.
    - Prevented some ways smart places queries could be abused for social engineering attacks.
    - Ported an upstream Skia fix.
    - Improved the origin-clean algorithm for canvases.
    - Improved the efficiency of certain types of memory allocations in the JavaScript compiler.
    - Changed the way the application update checker code is hooked up so it will not require a user to go idle before being activated.
    - This solves the primary issue with application updates not notifying users as promptly as they should; more improvements are slated for the next major release.
    - Applicable security issues fixed: CVE-2019-7317, CVE-2019-11701, CVE-2019-11698, CVE-2019-9817 (DiD), CVE-2019-11700, CVE-2019-11696, CVE-2019-11693, and several potentially exploitable crashes and memory safety hazards that do not have a CVE number assigned to them.
    - Fixed issues with image/texture allocation incorrectly being marked as insecure.

 -- B Stack <bgstack15@gmail.com>  Tue,  4 Jun 2019 22:22:10 -0400

palemoon (28.5.0-1+devuan) manual; urgency=low

  * From releasenotes.shtml: This is a major development and bugfix update.
    - Redesigned the about box.
    - Added "Check for updates" menu entries to the AppMenu and classic menu (since the About box redesign no longer has application update in it).
    - Restored the app.update.url.override pref for AUS testing/override.
    - Added "Loop" control to html5 video.
    - Fixed a crash with frames (e.g. when using Tile Tabs).
    - Fixed an issue with textarea placeholders (spec compliance).
    - Removed the Windows Maintenance Service one last time.
    - Improved http basic auth DoS heuristics.
    - Fixed an issue on big-endian machines (e.g. PPC64/linux).
    - Removed e10s code from widgets.
    - Preffed the various http "Accept" headers and aligned with the Fetch spec (except for image requests).
    - Aligned URLSearchParams with the spec.
    - Updated several site-specific UA overrides.
    - Fixed "Yet Another special case of a flex frame being the absolute containing block"
    - Fixed border drawing when the tab bar is hidden.
    - Pref-controlled and disabled the use of unboxed plain objects in JavaScript's JIT compiler.
    - Improved handling of interrupted connections through proxies and pseudo-VPN extensions.
    - Removed contextual identity.
    - Updated the 7zip installer stub to a much more recent code version.
    - Fixed an issue with applying percentages to 0 in layout sizes.
    - Fixed an issue with calculating linear sums in JS JITed code.
    - Added default value feature to get*Pref() preference functions.
    - Fixed an issue that would occasionally overwrite the new tab custom URL.
    - Updated the SQLite library to 3.27.2
    - Killed the crashreporter toolkit files and exception handler hooks.
    - Fixed an issue with a missing border on the tab bar when on the bottom.
    - Fixed a crash with badly-formatted SVG files.
    - Showed the robots to the exit after squatting in the browser for decades.
    - JavaScript: Implemented TC39 toString() revision proposal.
    - Rearchitectured the JavaScript front-end parser to provide better and more logical parsing of JS code.
    - Removed support code and leftovers for unsupported SunOS, AIX, BEOS, HPUX and OS/2 operating systems.
    - Fixed a scrollbar arrow issue on OS X.
    - Removed all Firefox Accounts code.
    - Made the CSS parser more robust and aligned url() behavior with the CSS3 spec in case of bad input.
    - Fixed an issue with blocklist updates not actually dynamically applying due to a wrong URL.
    - Updated the embedded emoji font to the TweMoji v11.4.0 equivalent.
    - Fixed an issue with async/deferred scripts preventing page loads from completing.

  * From github: Import new 28.5.0 major development and security release:
    - Added several site-specific overrides for web compatibility.
    - Aligned http "Accept:" headers with the fetch spec, with the exception of image requests to continue allowing content negotiation.
    - Fixed potential denial-of-service issues involving FTP (loading of subresources and spamming errors).
    - Aligned URLSearchParams with the spec.
    - Fixed a corner case for flexbox layouts, improving rendering of some websites.
    - Fixed Widevine compatibility issues.
    - Fixed security issues: CVE-2019-9791, CVE-2019-9792, CVE-2019-9796, CVE-2019-9801, CVE-2019-9793, CVE-2019-9794, CVE-2019-9808, CVE-2019-9790, CVE-2019-9797, CVE-2019-9804 and ZDI-CAN-8368.
    - Fixed several memory safety hazards and crashes.
    - Windows binaries are now code-signed again (including the setup program for the installer).

 -- B Stack <bgstack15@gmail.com>  Tue, 30 Apr 2019 08:36:47 -0500

palemoon (28.4.1-1devuan) manual; urgency=low

  * New 28.4.1 security and bugfix release:
    - Fixed hover state arrows on some controls.
    - Fixed potential denial-of-service issues involving FTP (loading of subresources and spamming errors).
    - Disabled Microsoft Family Safety (Win 8.1) by default. This prevents security issues as a result of a local MitM setup.
    - Added several site-specific overrides (Firefox Send and polyfill.io) to work around website UA-sniffing isues.
    - Implemented the origin-clean algorithm for controlling access to image resources.
    - Cleaned up the helper application service code.
    - Ported applicable security fixes from Mozilla (CVE-2019-9791, CVE-2019-9792, CVE-2019-9796, CVE-2019-9801, CVE-2019-9793, CVE-2019-9794, CVE-2019-9808 and ZDI-CAN-8368).
    - Implemented several defense-in-depth measures (for CVE-2019-9790, CVE-2019-9797, CVE-2019-9804, and a JavaScript issue).
    - Fixed several memory safety hazards and crashes.
    - Binaries are now code-signed again (including the setup program for the installer).

 -- B Stack <bgstack15@gmail.com>  Fri, 29 Mar 2019 14:42:19 -0500

palemoon (28.4.0-1devuan) manual; urgency=low

  * Import new 28.4.0 major development and security release:
    - Removed more telemetry code from the platform.
    - Fixed implementation of the IntersectionObserver API to avoid crashes, and enabled it by default.
    - Switched to the new ffmpeg decode API to avoid dropping of frames.
    - Fixed a buffering issue in the WebP decoder that caused intermittent browser crashes.
    - Improved resource-efficiency for internal stopwatch timers.
    - Improved handling of incorrectly-encoded CTTS in media files, resolving some playback issues of videos.
    - Improved the Cycle Collector and Garbage Collector.
    - Improved fullscreen navigation bar handling in the situation it has focus when switching to full screen.
    - Aligned instanceof with the final ES6 spec.
    - Improved Windows DIB (bitmap) clipboard data handling.
    - Exposed TLS 1.3 cipher suite prefs in about:config in case people want to disable them individually.
    - Allowed empty string on the location.search setter to clear URL query parameters from JS.
    - Added a potential fix for external links not opening in the current window/tab (untested).
    - Enabled C++11 thread-safe statics in the entire application.
    - Updated several preferences for integration with the new add-ons site.
  * Security fixes:
    - Fixed a potential use-after-free in IndexedDB code. (DiD)
    - Improved proxy handling to avoid localhost getting proxied. (CVE-2018-18506)
    - Ported upstream Skia fixes. (CVE-2018-18356, CVE-2018-18335)
    - Fixed an additional Skia issue. (CVE-2019-5785)
    - Fixed several potentially-exploitable memory safety hazards and crashes. (DiD)
    - Fixed a possible data race when performing compacting GC.

 -- B Stack <bgstack15@gmail.com>  Wed, 20 Feb 2019 16:42:43 -0500

palemoon (28.3.1-1devuan) manual; urgency=medium

  * Initial build for devuan

 -- B Stack <bgstack15@gmail.com>  Wed, 23 Jan 2019 13:11:18 -0500

palemoon (28.3.0+repack-1) obs; urgency=medium

  * Import new 28.3.0 major development and bugfix release:
    - Added AV1 support for MP4/MSE videos. Please note that this is a reference
      library implementation and the upstream decoding lib currently has poor
      performance for higher resolutions (720p+). This is disabled by default;
      use the about:config preference media.av1.enabled to enable this codec.
    - Changed the API used for video playback with FFmpeg 58+. This should solve
      performance issues (dropped frames) with VP8 and VP9.
    - Redesigned the main toolbar icons as SVG images to make them HiDPI
      compliant.
    - Fixed the sync notification (infobar) icon.
    - Fixed a potential cycle collector resource leak.
    - Added icons and controls to tabs to indicate if sound is playing the tab
      and if so, allowing the user to mute it with a click. This is a native
      implementation of the API in use in Basilisk and performs the same
      function as the "expose noisy tabs" extension, although the extension may
      still be preferred by some for e.g. skinning capabilities. The feature may
      be disabled with browser.tabs.showAudioPlayingIcon.
    - Removed support for VR hardware.
    - Fixed out-of-bounds sizes for CSS calculation strings.
    - Removed the DirectShow component since it is no longer necessary.
    - Removed Firefox Accounts integration, phase 1:
      - Changed the Sync client to the one from Tycho.
      - Made Sync optional at build time.
    - Stopped trying to cater to addons.mozilla.org since they no longer offer
        anything useful to Pale Moon after the Great XUL Extension Purge™.
    - Added an option to process favicons for optimal sized display and removing
      animations. Enable this with browser.chrome.favicons.process
    - Fixed an incorrect preference reference in feed reader.
    - Fixed an issue with lazy frame construction on display:contents elements.
      This should solve e.g. the use of mathjax in comments on stackoverflow.
    - Media code improvements and cleanup (ongoing).
    - Updated the DropBox useragent override to solve login issues.
    - Fixed potential crashes due to shutdown observers in VTT and font
      lists. DiD
    - Enabled some mistakingly-disabled optimizations in the JS JIT compiler.
    - Fixed several potential crashes in JS. DiD
    - Fixed several potential crashes in WebCrypto. DiD
    - Fixed a potential crash in JS Range Analysis. DiD
    - Fixed a potential crash in the layout engine due to combo boxes. DiD
    - Fixed a potential shutdown crash in non-standard environments related to
      2D Canvas. DiD
    - Fixed a potential overflow in the PNG writer. DiD
    - Fixed a potential double-free in the MAR signing utility. DiD
    - Fixed an issue where URLs could be extracted cross-origin (CVE-2018-18494).
    - Updated NSPR to v4.20.
    - Updated NSS to 3.41, providing (among other things) full compatibility with
      the final version of TLS 1.3 on websites.
    - Updated location.protocol to the latest spec.
    - Updated Intersection Observers to the latest spec and enabled them
      by default.
    - Updated the SQLite lib to 3.26.0.
    - Fixed errors about the login manager's recipeManager not being
      available (yet).
    - Switched status bar download arrow to SVG.
    - Fixed a crash in IntersectionObservers.
    - Fixed initialization of the Search service from browser code to avoid
      synchronous init.
    - Added logging of performance warnings to devtools consoles.
    - Fixed favicons in taskbar tab preview listings.
    - Blocked Comodo IS dll < version 6.3 to prevent startup crashes.
    - Fixed issues in the HTML form submit observer module.
    - Limited resolving depth of CSS variables to a sane maximum (fixes
      cras.sh issue).
    - Removed Mozilla's proprietary constructor on WebAudio's AudioContext,
      aligning it with the standard specification.
    - Exposed the previously hidden preference in about:config for page thumbnail
      generation (some people prefer this for local privacy).
    - Aligned Element.ScrollIntoView with the DOM specification. This improves,
      among other things, compatibility with the React framework.

  * Totally revise debian/copyright to conform to Debian Policy.
  * Install copies of MPL-1.1 and MPL-2 licenses in docs.
  * Change versioning to "+repack" now that the OBS supports it.

 -- Steven Pusser <stevep@mxlinux.org>  Tue, 15 Jan 2019 12:11:18 -0800

palemoon (28.2.2~repack-1~mx17+1) mx; urgency=medium

  * New upstream minor security and stablility release.

 -- Steven Pusser <stevep@mxlinux.org>  Wed, 05 Dec 2018 12:23:18 -0800

palemoon (28.2.1~repack-1~mx17+1) mx; urgency=medium

  * New release; addresses issues with history and bookmarks.

 -- Steven Pusser <stevep@mxlinux.org>  Sun, 18 Nov 2018 11:54:00 -0800

palemoon (28.2.0~repack-1) obs; urgency=medium

  * Import new 28.2.0 major development and bugfix release:
    - Fixed a major performance issue with web workers.
    - Fixed a rare crash on local networks with HTTP basic auth and unsupported
      cipher suites.
    - Fixed a performance/timer issue when leaving the browser idle.
    - Fixed an issue causing an empty dialog when launching executable files
      from the browser.
    - Fixed an issue preventing making entries to disallow sites to store data
      for off-line use.
    - Removed code to prevent extensions with binary components.
    - Fixed an issue with common dialogs being sized incorrectly for their
      content.
    - Fixed an issue with event handling on the tab bar that would cause
      frustrating behavior when trying to open/close tabs in rapid succession.
    - Switched default behavior for scrolling when a context or pop-up menu is
      open to allow scrolling, like in v27. This also affects scrolling in very
      long menus, e.g. bookmarks.
    - Added experimental Asynchronous Panning and Zooming (APZ) for desktop use.
    - Re-enabled the use and parsing of ICC v4 color profiles.
    - Removed telemetry code from the caching subsystem.
    - Improved full-screen detection for suppressing status messages.
    - Made all arguments passed to Init*Event() optional except the first for
      parity with other browsers.
    - Cleaned up some internal installer code.
    - Fixed making caret width configurable when dealing with CJK characters
      (regression).
    - Fixed drawing of table borders consistently when zooming a page
      (regression).
    - Exposed the "Save download location per site" pref in about:config.
    - Improved media handling (ongoing).
    - Added experimental support for AV1 in WebM videos (disabled by default).
    - Note: this is for WebM only for now, so MP4 and MSE AV1 streams (e.g.
      YouTube) will not (yet) play.
    - Removed the (defunct and incomplete) in-browser translation code.
    - Fixed an issue with CSS Grid layouts unnecessarily shrinking element
      blocks.
    - Fixed notification settings menu entry (opes about:permissions with
      relevant data now).
    - Fixed the launching of an undesirable background content process for
      capturing page thumbnails.
    - Fixed a focus issue in the bookmark properties dialog.
    - Changed the setting for reporting CSS errors to the console to false by
      default, to prevent unnecessary performance loss for recording this data.
    - Added control mechanisms for Opportunistic Encryption (both for
      alternative services and upgrade-insecure-requests) in preferences,
      and disabled this by default due to potential security and privacy issues
      with this transitional technology.
    - Updated the default reported Firefox version in Firefox Compatibility Mode
      to prevent "too old Firefox" complaints on websites.
    - Updated libnestegg, ffvpx, reader view components and several other
      modules from upstream.
    - Implemented security fixes for CVE-2018-12381, CVE-2017-7797, a better fix
      for CVE-2018-12386 (DiD), CVE-2018-12401 (DiD), CVE-2018-12398,
      CVE-2018-12392, several Skia bugs, and several crashes and memory safety
      hazards that do not have a CVE number.

  * debian/mozconfig: enable AV1 decoding.

 -- Steven Pusser <stevep@mxlinux.org>  Mon, 12 Nov 2018 09:38:43 -0800

palemoon (28.1.0~repack-1) obs; urgency=medium

  * New upstream release:

    - Updated NSS to 3.38, removed TLS 1.3 draft version check since it's
      considered final.
    - Reinstated RC4 as an optional encryption cypher for non-standard
      environments (e.g. old routing/peripheral networked hardware on LAN). RC4
      and 3DES are marked weak and disabled, and will never be used in the first
      handshake with a site, only as last-ditch fallback when specifically
      enabled (meaning they won't show up on ssllabs' test, for example).
    - Removed Telemetry accumulation calls, automatic timers and stopwatches.
      This removes a very noticeable performance sink for all operations on all
      platforms.
    - Fixed many occurrences of discouraged types of memory access for primarily
      GCC 8 compatibility. This improves overall code security as a
      defense-in-depth measure.
    - Re-implemented the pref-controlled custom background color for
      standalone images.
    - Updated session history handling for internal pages. about:logopage is no
      longer stored in history, and you can choose to store the QuickDial page in
      history by setting the pref browser.newtabpage.add_to_session_history to
      true. This is disabled by default (meaning you can't use the "Back" button
      to go back to the QuickDial page) as a defense-in-depth security measure.
    - Added ui.menu.allow_content_scroll to control whether content can be
      scrolled if a context menu is open.
    - Fixed incorrect code removal in ipc.
    - Removed support for TLS session caches in TLSServerSocket.
    - Added support for local-ref as SVG xlink:href values.
    - Changed the find bar to be a browser-global toolbar again (like in Pale
      Moon 27) instead of per-tab. For people who prefer search terms to be
      saved on a per-tab basis (like with the per-tab findbar previously), this
      is possible by setting findbar.termPerTab to true. This resolves a number
      of issues, including styling with lightweight themes not applying to the
      find bar, and status pop-ups overlapping the find bar.
    - Ported all relevant security fixes from Mozilla's Gecko/62 release,
      including CVE-2018-12377 and CVE-2018-12379.
    - Restored part of the searchplugin API that was removed by Mozilla, so
      extensions can provide and save edits to installed search engines.
    - Improved the speed of restoring browsing sessions upon startup.
    - Fixed the "Restore previous session" button sometimes being missing from
      about:home, while a restorable session would be present.
    - Fixed tab previews in the Windows taskbar (if enabled).
    - Fixed the setting of the new tab page being "My Home Page" so it'll pick up
      subsequent changes to the home page URL automatically.
    - Removed the Firefox Accounts migrator from Sync.
    - Fixed an issue with the enabled state of number controls if appearances
      changed.
    - Stopped building ffvpx on 32-bit platforms (except Windows) to use the
      (faster) system-installed lib instead.
    - Re-added a horizontal scroll action option for mouse wheel. (regression)
    - Fixed handling of content language if the locale is changed.
    - Fixed document navigation with the F6 key.
    - Fixed toolbar styling in toolkit themes.
    - Fixed viewing the source of a selection.

  * Now has full support for gcc-8, so stop forcing gcc-7 build on Buster and 
    recent Ubuntus where gcc-8 is default.

 -- Steven Pusser <stevep@mxlinux.org>  Mon, 17 Sep 2018 19:05:20 -0700

palemoon (28.0.1~repack-1~mx17+1) mx; urgency=medium

  * New upstream release.
    - Backed out a Mozilla upstream patch causing issues with IPC and texture
      allocation for the compositor.
    - Backed out a Mozilla upstream patch causing issues with Javascript memory
      buffer allocation.
  * debian/mozconfig: add an option to tune for the number of parallel build
    threads.

 -- Steven Pusser <stevep@mxlinux.org>  Fri, 31 Aug 2018 17:26:11 -0700

palemoon (28.0.0~repack-3) obs; urgency=medium

  * Add libavcodec-ffmpeg56 and libavcodec-ffmpeg-extra56 D for Ubuntu 16.04.

 -- Steven Pusser <stevep@mxlinux.org>  Sat, 18 Aug 2018 11:19:45 -0700

palemoon (28.0.0~repack-2) obs; urgency=medium

  * Add alternative libavcodec-extraXX dependencies.

 -- Steven Pusser <stevep@mxlinux.org>  Thu, 16 Aug 2018 18:15:14 -0700

palemoon (28.0.0~repack-1) obs; urgency=medium

  * Import final 28.0.0 release.

 -- Steven Pusser <stevep@mxlinux.org>  Wed, 15 Aug 2018 11:55:12 -0700

palemoon (28.0.0~rc1~repack-2) obs; urgency=medium

  * Depend on a version of libavcodec instead of ffmpeg.
  * For Buster, build on gcc-7, just to be safe. Restore the lsb-release distro
    detection setup to rules to enable this, and add the new build-depends. This
    should no longer be required in 28.1.0.

 -- Steven Pusser <stevep@mxlinux.org>  Tue, 14 Aug 2018 12:13:31 -0700

palemoon (28.0.0~rc1~repack-1) obs; urgency=medium

  * New upstream release.

 -- Steven Pusser <stevep@mxlinux.org>  Sun, 12 Aug 2018 13:28:16 -0700

palemoon (28.0.0~b5~repack-1) obs; urgency=medium

  * Import new beta release.

 -- Steven Pusser <stevep@mxlinux.org>  Wed, 01 Aug 2018 14:41:07 -0700

palemoon (28.0~b4~repack-1mx17+1) mx; urgency=medium

  * New beta release.
  * Build with native gcc releases, remove lsb-release as build-depend since it's
    no longer needed to check for the distrelease.
  * Add libgconf2-dev and libx11-xcb-dev to build-depends.
  * Add command to dh_auto_clean override to remove pyc files somehow generated
    by dh_clean.
  * Add new options to debian/mozconfig.

 -- Steven Pusser <stevep@mxlinux.org>  Sat, 28 Jul 2018 15:06:18 -0700

palemoon (27.9.4~repack-1~mx17+1) mx; urgency=medium

  * Import new upstream 27.9.4 release.
    - Updated the useragent for addons.mozilla.org to work around their "Only
      with Firefox" discrimination preventing users from downloading themes, old
      versions of extensions, and other files with Pale Moon.
    - Restricted web access to the moz-icon:// scheme that could potentially be
      abused to infringe the user's privacy.
    - Prevented various location-based threats. DiD
    - Fixed a potential vulnerability with plugins being redirected to different
      origins (CVE-2018-12364).
    - Improved the security check for launching executable files 
      (by association) on Windows from the browser. For users who have (most 
      likely accidentally) granted a system-wide waiver for opening these kinds
      of files without being prompted, this permission has been reset.
    - Fixed an issue with invalid qcms transforms (CVE-2018-12366).
    - Fixed a buffer overflow using the computed size of canvas elements
      (CVE-2018-12359).
    - Fixed a use-after-free when using focus() (CVE-2018-12360).
    - Added some sanity checks on nsMozIconURI. DiD
    - Fixed an issue in the case the preferences file in the profile would not be
      writable (e.g. temporary permission issues due to backup, virus scanning or
      similar external processes).

 -- Steven Pusser <stevep@mxlinux.org>  Wed, 11 Jul 2018 13:59:46 -0700

palemoon (27.9.3~repack-1~mx17+1) mx; urgency=medium

  * New upstream security update:
  
    - Changes/fixes:
      - (CVE-2017-0381) Ported a patch from libopus upstream. Note, contrary to 
        that report, the libopus maintainers state they don't believe remote 
        code execution was possible, so this was not a critical patch.
      - Fixed an issue with task counting in JS GC.
      - Fixed a use-after-free in DOMProxyHandler::EnsureExpandoObject (thanks 
        to Berk Cem Göksel for reporting).

 -- Steven Pusser <stevep@mxlinux.org>  Tue, 12 Jun 2018 11:12:06 -0700

palemoon (27.9.2~repack-1~mx17+1) mx; urgency=medium

  * New upstream security and stability update:

    - Changes/fixes:
      - We changed the language strings for softblocked items so people will cry
        less when we do our job.
      - (CVE-2018-5174) Prevent potential SmartScreen bypass on Windows 10.
      - (CVE-2018-5173) Fixed an issue in the Downloads panel improperly 
        rendering some Unicode characters, allowing for the file name to be 
        spoofed. This could be used to obscure the file extension of potentially 
        executable files from user view in the panel.
      - (CVE-2018-5177) Fixed a vulnerability in the XSLT component leading to a
        buffer overflow and crash if it occurs.
      - (CVE-2018-5159) Fixed an integer overflow vulnerability in the Skia 
        library resulting in possible out-of-bounds writes.
      - (CVE-2018-5154) Fixed a use-after-free vulnerability while enumerating
        attributes during SVG animations with clip paths.
      - (CVE-2018-5178) Fixed a buffer overflow during UTF8 to Unicode string 
        conversion within JavaScript with extremely large amounts of data. This 
        vulnerability requires the use of a malicious or vulnerable extension in
        order to occur.
      - Fixed several stability issues (crashes) and memory safety hazards.

 -- Steven Pusser <stevep@mxlinux.org>  Mon, 21 May 2018 11:43:14 -0700

palemoon (27.9.1~repack-1) obs; urgency=medium

  * New upstream maintenance update:
    - Removed the unused/incomplete places protocol handler.
    - Worked around an issue with MSE media without a Track ID. This should help
      with the playability of some live streams.
    - Ported across jemalloc improvements from UXP.
    - Ported across cairo mutex improvements from UXP.
    - Added support for FFmpeg 4.0/libavcodec 58.
    - Added a fix for Windows 10's "isAlpha()" not being what one would expect
      in v1803.

 -- Steven Pusser <stevep@mxlinux.org>  Mon, 07 May 2018 15:07:33 -0700

palemoon (27.9.0~repack-1~mx17+1) mx; urgency=medium

  * New upstream release:
    - Fixed a number of spec compliance issues in our media subsystem.
    - Added a trailing slash to referrers when policy is set to fix some web
      compatibility issues.
    - Fixed the property order in Object.getOwnPropertyNames(string) and others
      for web compatibility.
    - Updated RegExp(RegExp object, flags) to the ES6 standard specification.
    - Changed the embedded font from the no longer free EmojiOne to the
      open-licensed Twemoji (with additional fixes). This also further extends
      unicode support to Unicode 10 emoji(s). Please note that as a result, color
      emoji(s) will look different than before.
    - Adjusted some things in our memory allocator code to provide, among other
      things, better allocation alignment on Windows.
    - Made the attempt to migrate people from the old sync server domain name to
      the current one more aggressive. We will be retiring the old
      pmsync.palemoon.net Sync server address shortly to remove the need for us
      to maintain a security certificate for it; this preference migration should
      automatically put everyone on the correct server address when upgrading.
    - Made reading of the sessionstore synchronous, to speed up startup and
      prevent the homepage from being loaded when restoring a session.
    - Added a fix to switch to the correct window/tab when a web notification
      is clicked.
    - Changed the placeholder text to not include "Search" when all search
      functions from the address bar are disabled.
    - Enabled the use of Skia for canvas on Linux and OSX.
    - Worked around a potential cause for some non-standard bitmapped fonts
      ending up with incorrect line heights (I'm looking at you, Noto fonts!).
    - Added a workaround for incorrectly-encoded JPEG-XR images with planar
      alpha. Ultimately, the jxrlib reference implementation should be fixed to
      encode according to spec.
    - Aligned XCTO:nosniff allowed script MIME types with the updated spec.
    - Improved the logic for storing vector images in the surface cache.
    - Fixed character set handling for XMLHttpRequests.

 -- Steven Pusser <stevep@mxlinux.org>  Tue, 17 Apr 2018 10:14:19 -0700

palemoon (27.8.3~repack-1) obs; urgency=medium

  * New upstream bugfix update:
    - This is a small update to solve a pervasive crash in responsive web
      layouts.

 -- Steven Pusser <stevep@mxlinux.org>  Thu, 29 Mar 2018 12:48:14 -0700

palemoon (27.8.2~repack-1) obs; urgency=medium

  * New upstream security update:
    - Privacy fix: prevented update checks for the default theme.
    - Added a user-agent override for Dropbox to improve compatibility with
      their service.
    - Fixed an issue with mouseover handling related to (CVE-2018-5103). DiD
    - Disabled the Mac OSX Nano allocator. DiD
    - Fixed (CVE-2018-5129) OOB Write.
    - Updated the lz4 library to 1.8.0 to solve potential issues. DiD
    - Fixed (CVE-2018-5137) Path traversal on chrome:// URLs
    - Fixed several memory safety an synchronicity hazards.

 -- Steven Pusser <stevep@mxlinux.org>  Thu, 22 Mar 2018 10:31:24 -0700

palemoon (27.8.1~repack-1) obs; urgency=medium

  * New upstream release:
    - Backed out the NSPR/NSS update from 27.8.0 for causing crashes, general
      operational instability and handshake issues.
    - Disabled TLS 1.3 draft support by default, because with the NSS backout we
      only support an older draft right now that is no longer current and may
      cause connectivity issues. You can manually re-enable it at your own risk
      in about:config by setting security.tls.version.max to 4.

 -- Steven Pusser <stevep@mxlinux.org>  Tue, 06 Mar 2018 12:04:10 -0800

palemoon (27.8.0~repack-1) obs; urgency=medium

  * New upstream release:
    - Added support for emojis on Windows systems that have relatively poor
      support for them with standard font sets by including our own font
      (EmojiOne based for now).
    - Added a setting in preferences to select the use of tab previews with
      Ctrl+Tab.
    - Added Eyedropper menu entry to the AppMenu.
    - Added a preference to control whether the text cursor (caret) should be
      thicker when dealing with CJK characters or not (default = yes).
    - Added URL fix-ups for schemes (mis-typed "ttp://" etc.).
    - Added support for ES6 "Symbol species".
    - Updated our TLS 1.3 support to the latest (probably final) draft.
    - Fixed gap inconsistency in the tabstrip.
    - Fixed a number of browser crashes.
    - Fixed a crash with the exponentiation operator "**"
    - Set the performance timer granularity to 1 ms.
    - Updated the kiss-fft library to our forked 1.4.0 version.
    - Disabled a potentially problematic optimization on Win 8+ with high
      contrast themes in use.
    - Removed the notification bar when in full screen to prevent unwanted
      visible screen elements.
    - Removed unmaintained and insecure WebRTC code - building with WebRTC
      enabled is no longer an option.
    - Removed redundant checks for "Vista or later" since that is all we support.
    - Added display of the http status to raw request displays.
    - Added a workaround for cloned videos not retaining their muted state.
    - Added a temporary workaround to avoid crashes on trackless media.
    - Removed some superfluous ellipses from menu labels.
    - Fixed undesired shrinking of line heights as a result of setting minimum
      font size in preferences.
    - Fixed some issues with setting the new tab preference (regression).

  * Add support for building on Debian Buster on gcc-4.9.

 -- Steven Pusser <stevep@mxlinux.org>  Fri, 02 Mar 2018 17:38:20 -0800

palemoon (27.7.2~repack-1~mx17+1) mx; urgency=medium

  * New upstream release:
    - Changed the X-Content-Type-Options: nosniff behavior to only check
      "success" class server responses, for web compatibility reasons.
    - Changed the perfomance timer resolution once more to a granularity of
      1 ms, after evaluating more potential ways of abusing Spectre. This
      takes the most cautious approach possible lacking more information
      (because apparently NDAs have been signed over this between mainstream
      players), follows Safari's lead, and should make it not just infeasible
      but downright impossible to use these timers for nefarious purposes in
      this context.
    - Improved the debug-only startup cache wrapper to prevent a rare crash.
    - Fixed a crash in the XML parser.
    - Added a check for integer overflow in AesTask::DoCrypto()
      (CVE-2018-5122) DiD
    - Fixed a potential race condition in the browser cache.
    - Fixed a crash in HTML media elements (CVE-2018-5102)
    - Fixed a crash in XHR using workers.
    - Fixed a crash with some uncommon FTP operations.
    - Fixed a potential race condition in the JAR library.

 -- Steven Pusser <stevep@mxlinux.org>  Thu, 01 Feb 2018 13:48:26 -0800

palemoon (27.7.1~repack-1~mx17+1) mx; urgency=medium

  * New upstream release:
    - Added support for Array.prototype[@@unscopables].
      Unfortunately, the addition of Javascript's ES6 Unscopables in 27.7.0 was
      incomplete, which caused a number of websites (e.g. Chase on-line banking,
      some Russian government sites) to display blank or not complete loading
      after updating to that version of the browser. This update should fix the
      problem by adding the missing part of the feature.
    - Fixed an issue with the default theme causing tab borders to be drawn too
      thick at higher settings for visual element scaling (125/150%) in Windows.

 -- Steven Pusser <stevep@mxlinux.org>  Thu, 18 Jan 2018 10:03:02 -0800

palemoon (27.7.0~repack-1~mx17+1) mx; urgency=medium

  * New upstream release:
    - Reorganized access to preferences (moved to the Tools menu on Linux, and
      renamed from "Options" to "Preferences" on Windows).
    - Renamed "Restart with add-ons disabled" to "Restart in Safe Mode" to
      better reflect what it does.
    - Worked around an issue with some improperly-encoded PNG files not decoding
      after our libpng update.
    - Fixed an issue on Mac builds not properly populating the application menu.
    - Added "My home page" as an option for new tabs.
    - Added an option to disable the 4th and 5th mouse buttons (Windows).
    - (mouse.button4.enabled and mouse.button5.enabled, respectively)
    - Improved the resetting of non-default profiles.
    - Fixed an issue with details/summary having the incorrect height if floated,
      breaking layouts.
    - Implemented support for flex/columnset contents inside buttons to align
      its behavior with other browsers.
    - (this should fix layout issues with Twitch's new web interface)
    - Made several more improvements to the details/summary tags to align them
      with the current spec and fix several bugs.
    - Fixed an issue where CSS clone operations would draw a border.
    - Changed the way fractional border widths are rounded to provide more
      natural behavior.
    - Fixed an issue where number inputs would incorrectly be flagged as
      read-only.
    - Added assets for tile display in the Windows start panel.
    - Finished sync infra swapover by adding a one-time pref migration for
      server used.
    - Improved WebAudio API: Return the connected audio node from
      AudioNode.connect()
    - Added support for a default playback start position in media elements.
    - Fixed an assert in cubeb-alsa code (Linux).
    - Added support for media cue-change events (e.g. subtitles).
    - Updated SQLite to 3.21.0.
    - Fixed a crash when trying to use the platform embedded.
    - Fixed devtools (gcli) screenshots on vertical-text pages.
    - Fixed devtools copy as cURL for POST requests.
    - Improved the HTML editor component (several bugfixes).
    - Added support for ES7's exponentiation a ** b operator.
    - Fixed an issue with arrow functions incorrectly creating an arguments
      binding.
    - Added Javascript's ES6 unscopables.
    Security/privacy fixes:
    - Disabled automatic filling in of log-in details by default to prevent
      potential risks of credentials being abused (e.g. for tracking) or stolen.
    - Added a preference (in the category security) to easily enable or disable
      automatic filling in of log-in data.
    - Removed the sending of referrers when opening a link in a new
      private window.
    - Added an option to disable the page visibility Web API
      (dom.visibilityAPI.enabled), allowing users to prevent pages from knowing
      whether they are being actively displayed to the user or not.
    - Removed the "ask every time" policy for cookies. For granular control,
      please use any of the excellent available extensions to regulate cookie use
      on a per-site or per-url basis.
    - Added support for X-Content-Type-Options: nosniff (for scripts).
    - Changed the resolution of performance timers to a level where any future
      potential abuse for hardware-timing attacks becomes impractical.

 -- Steven Pusser <stevep@mxlinux.org>  Tue, 16 Jan 2018 12:02:55 -0800

palemoon (27.6.2~repack-1) obs; urgency=medium

  * Minor security and bugfix release:
    - Implemented the concept of so-called "cookie-averse document objects",
      which is a security&privacy measure that blocks certain web content from
      setting cookies. This mitigates cookie-injection, which might help against
      "hidden" cookie tracking.
    - Mitigated some domain name spoofing through IDN by using dotless-i and
      dotless-j with accents. (CVE-2017-7832)
    - Pale Moon will display these kinds of spoofed domains in punycode now in
      the actual address bar. Please note that the identity panel will always be
      able to help you on secure sites when IDNs are in use to notice potential
      spoofing, as opposed to relying on detection algorithms in the URL itself.
      As such, some other issues like CVE-2017-7833 are already mitigated by us.
    - Fixed an issue with mixed-content blocking. (CVE-2017-7835)
    - Added an extra check for the correct signature data type on certificates.
    - Added missing sanitization in exporting bookmarks to HTML. (CVE-2017-7840)
    - Fixed several crashes and memory safety hazards.
  * Bump debhelper build-depend to >= 9.

 -- Steven Pusser <stevep@mxlinux.org>  Wed, 29 Nov 2017 12:31:22 -0800

palemoon (27.6.1~repack-1mx15+1) mx; urgency=medium

  * Minor bugfix release:
    - Fixed a regression with new windows (opening two windows from the
      command-line or file association, focus issues on new windows, not
      loading the home page in a new window, etc.)
    - Aligned XHR with the currect spec to allow withCredentials.
    - Fixed an input element focus issue within handlers.
    - Fixed the processing of all-padding HTTP/2 frames to prevent rare
      HTTP/2 hangups.
    - Updated CitiBank override to work around their login issues.
    - Updated Netflix override to a community-supplied one that seems to
      satisfy their arbitrary restrictions better.

 -- Steven Pusser <stevep@mxlinux.org>  Mon, 20 Nov 2017 15:52:34 -0800

palemoon (27.6.0~repack-1) obs; urgency=medium

  * Major development update; changes can be viewed at
    https://github.com/MoonchildProductions/Pale-Moon/releases.
  * debian/mozconfig: add vectorization flags for distreleases that support it.
    Those that don't get the mozconfig without the flags.

 -- Steven Pusser <stevep@mxlinux.org>  Wed, 08 Nov 2017 11:10:24 -0800

palemoon (27.5.1~repack-1) obs; urgency=medium

  * Minor bugfix release:
    - Changed the default Windows 10 styling when no accent color is applied to
      black-on-white.
    - Changed the theme styling on Windows 10 when the system window frame is
      used (menu bar enabled) to use the window manager background directly,
      preventing visual lag updating the window color when it changes.
    - Updated user agent overrides for DropBox, YouTube and Yahoo to work around
      user agent sniffing issues.
    - Fixed a crash in the media subsystem.
    - Fixed a regression where video playback hardware acceleration was disabled
      incorrectly on some systems.

 -- Steven Pusser <stevep@mxlinux.org>  Fri, 13 Oct 2017 15:15:01 -0700

palemoon (27.5.0~repack-1mx15+1) mx; urgency=medium

  * New upstream major release, changes can be viewed at
    https://github.com/MoonchildProductions/Pale-Moon/releases.
  * Disable updater and installer in mozconfig.

 -- Steven Pusser <stevep@mxlinux.org>  Tue, 26 Sep 2017 18:32:35 -0700

palemoon (27.4.2~repack-1) obs; urgency=medium

  * New upstream bugfix release:
    - Fixed a number of crashes.
    - Enabled the opt-in debugging feature to log SSL keys to a file in all
      builds.
    - Added a fix for TLS 1.3 handshakes causing a browser hangup.
    - Handshakes should be considerably faster now and no longer stall in the
      wrong circumstances.
    - Updated NSPR to 4.15.
    - Updated NSS to 3.31.1.
    - Fixed a DoS issue using overly long Username in URL scheme (CVE-2017-7783)
    - Fixed an issue where (cross domain) iframes could break
      scope (CVE-2017-7787)
    - Fixed an issue in WindowsDllDetourPatcher (CVE-2017-7804)
    - Fixed an issue with elliptic curve addition in mixed Jacobian-affine
      coordinates (CVE-2017-7781)
    - Fixed a UAF in nsImageLoadingContent (CVE-2017-7784)
    - Fixed a UAF in WebSockets (CVE-2017-7800)
    - Fixed a heap-UAF in RelocateARIAOwnedIfNeeded (CVE-2017-7809) DiD
      (accessibility is disabled)

 -- Steven Pusser <stevep@mxlinux.org>  Wed, 23 Aug 2017 15:50:07 -0700

palemoon (27.4.1~repack-1mx15+1) mx; urgency=medium

  * New upstream bugfix release:
    - Fixed an issue where MSE media playback would not use hardware
      acceleration when it could, causing choppy playback and high CPU usage.
    - Fixed ES6 iterator chains to be spec-compliant.
    - Fixed ES6 vector append calls and some related memory leaks.
    - Added a workaround to reduce the chances of a rare crash occurring.

 -- Steven Pusser <stevep@mxlinux.org>  Fri, 04 Aug 2017 18:22:19 -0700

palemoon (27.4.0~repack-2) obs; urgency=medium

  * debian/mozconfig: drop deprecated "--disable-gstreamer" option.

 -- Steven Pusser <stevep@mxlinux.org>  Wed, 12 Jul 2017 13:25:27 -0700

palemoon (27.4.0~repack-1) obs; urgency=medium

  * New upstream release--the github 27.4.0 was not a real release:
    Changes/fixes:
    - Completely re-worked the Media Source Extensions code to make it spec
      compliant, and asynchronous as per specification for MSE with MP4. This
      should fix playback problems on YouTube, Twitch, Vimeo and other sites
      that previously had some issues. A massive thank you to Travis for his
      tireless work on making this happen!
      Please note that MSE+WebM (disabled by default) is not using this new code
      yet (planned for the next release), and as such there is a temporary set
      of things to keep in mind if you don't use default settings:
        If you have previously enabled MSE+WebM, this setting will be reset when
        you update to avoid conflicting settings with the updated MSE code.
        We've added an extra setting in Options to disable the updated MSE code
        (asynchronous use) in case you need to use WebM or are otherwise having
        issues with the updated code (please let us know in that case).
        Once again, the MSE+WebM and Asynchronous MSE use are currently mutually
        exclusive. You can have one or the other, not both, until we sort out
        the code for WebM. To enable MSE+WebM you will first have to disable
        Asynchronouse MSE in settings (otherwise the WebM setting will be greyed
        out and disabled).
    - Added a control in options/preferences for HSTS and HPKP usage.
    - Changed HTML bookmark exports to write CRLF line endings to the file on
      Windows.
    - Leveraged multi-core rendering for libVPX (VP8/VP9 WebM decoding).
    - Fixed some issues accessing DeviantArt (useragent-sniffing).
    - Aligned CSS text-align with the spec.
    - Added a recovery module for browser initialization issues (e.g. when using
      a wrong language pack).
    - Fixed spurious console errors for XHR requests with certain http response
      codes.
    - Enabled v-sync aligned refresh for a smoother scrolling experience.
    - Removed support for CSS XP-theme media queries.
    - Improved console error reporting.
    - Fixed resetting toolbars and controls from the safe mode dialog.
    - Fixed bookmark recovery option from the safe mode dialog.
    - Fixed innerText getters for display:none elements.
    - Fixed a GL buffer crash that might occur with certain combinations of
      drivers and hardware.
    - Added some more details to about:support.
    - Fixed a potential crash when the last audio device is removed during
      playback.
    - Fixed a crash on about:support when windowless browsers are created.
    - Updated <select> elements to blank if the actively set value doesn't match
      any of the options.
    - Updated the interpretation of 2-digit years in date formats to match other
      browsers:
     - 0-49 = 2000-2049, 50-99 = 1950-1999.
    - Added "q" units to CSS (quarter of a millimeter).
    - Added .origin property to blobs.
    - Fixed several minor layout issues.
    - Fixed disabled HTML elements not producing the proper JS events.
    - Implemented web content handler blacklist according to the spec, allowing
      more than feeds to be registered.
    - Fixed a spec compliance issue with execCommand() on HTML elements.
    - Fixed a problem with table borders being drawn uneven or being omitted
      when zooming the page.
    - Added devtools "filter URLs" option in the network panel.
    - Added visual sorting options to the Network inspector.
    - Added importing of login data from Chrome profiles on Windows (Chrome
      has to be closed first).
    - Added importing of tags from bookmark export files (HTML format).
    - Updated usage of SourceMap headers with the updated spec (SourceMap
      header, keeping X-SourceMap as a fallback).
    - Fixed several cases of wrongly-used negations in JS modules.
    - Added the auxclick mouse event.
    - Added a control to not autoplay video unless it is in view
     (media.block-play-until-visible).
    - Updated the Graphite font library to 1.3.10.
    - Updated how image and media elements respond to window size changes
      (responsive design).
    - Added parsing and use of rotation meta data in video.
    - Fixed several crashes in a number of modules.
    - Fixed performance regression for scaling large vector images (e.g. MSIE
      Chalkboard test) \o/
    - Fixed some issues with notification icons.
    - Fixed some internal errors with live bookmarks.
    - Updated SQLite to 3.19.3.
    - Fixed several reported issues with devtools (cli-cookies, cli help,
      copying cURL, inspecting SVGs, element size calculations, etc.)
    - Fixed an issue where a server response was allowed to override add-ons'
      specified version ranges even for add-ons that have strict compatibility
      (e.g. themes, language packs).

    Security fixes:

    - Removed preloading of HPKP hosts and enabled HPKP header enforcement.
    - Added support for TLS 1.3, the up-next secure connection protocol.
    - Fixed an issue with TLS 1.3 not supporting renegotiation by design.
    - Relaxed some restrictions for CSP to temporarily work around web
      compatibility issues with the CSP-3 deprecated `child-src` directive.
    - Updated NSS to 3.28.5.1-PM to address some security issues.
    - Updated the installer selfextractor module to address unsafe loading of
      libraries.
    - Changed the way certain resources are included to reduce effectiveness of
      some common fingerprinting techniques. (e.g. browserleaks.org)
    - Fixed a regression in the display of security information in the page info
      dialog for insecure content.
    - Fixed two potential issues with allocating memory for video. DiD
    - Fixed a potential issue with the network prediction algorithm. DiD
    - Restricted the use of Aspirational scripts in IDNs to prevent domain
      spoofing, in anticipation of the UAX#31 update making this official.
    - Prevented a Mac font specific issue that could be abused for domain
      spoofing (CVE-2017-7763)
    - Fixed several potentially exploitable crashes. (CVE-2017-7751)
      (CVE-2017-7757) and some that do not have a CVE designation.

 -- Steven Pusser <stevep@mxlinux.org>  Wed, 12 Jul 2017 10:54:26 -0700

palemoon (27.3.0~repack-1) obs; urgency=medium

  * New upstream release.

 -- Steven Pusser <stevep@mxlinux.org>  Sat, 29 Apr 2017 19:50:41 -0700

palemoon (27.2.1~repack-1) obs; urgency=medium

  * New upstream release:

    - Changes/Fixes:
      - Fixed an issue with planar alpha handling (transparency) when drawing
        JXR images.
      - Fixed a crash related to a change JavaScript array handling introduced
        in 27.2.0. This became apparent with the pentadactyl extension, but
        could happen in other situations as well.
      - Fixed a crash when opening ridiculously large images with HQ scaling
        enabled (default). Pale Moon will now only apply HQ scaling for images
        within reasonable limits (64 Mpix or smaller). Images larger than that
        may not display properly when zooming in, or may not display at all,
        even scaled down (e.g. >256 Mpix large) and show a "broken image"
        placeholder instead; please use dedicated image viewer applications for
        those kinds of images; it is outside the scope of a web browser to
        handle such large images.
      - Changed the way URL hashes are handled, and will no longer %-decode
        anchor hash identifiers by default. Note that this is against RFC 3986,
        which states that any part of the URL scheme that isn't data should be
        decoded. This is required for web compatibility because several sites
        use hash links to pass actual data to web applications (Please don't do
        this! Hashes are part of the URL address, should only consist of "safe"
        characters, and aren't suited to pass arbitrary data) and the most
        common browsers no longer follow the RFC in that respect. If you want
        RFC compliance, switch dom.url.getters_decode_hash to true.
      - Restored 2 RSA Camellia cipher suites that were missing:
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA and TLS_RSA_WITH_CAMELLIA_256_CBC_SHA.
      - Fixed an issue with custom toolbars getting deleted during upgrade
        from 27.0/27.1 to 27.2

 -- Steven Pusser <stevep@mxlinux.org>  Wed, 29 Mar 2017 12:27:06 -0700

palemoon (27.2.0~repack-1mx15+1) mx; urgency=medium

  * New upstream release:

    - Changes/Fixes:
      - Updated the ICU lib to 58.2 to fix a number of issues.
      - Added proper control for the user for offline storage for web
        applications.
      - Added a check to prevent auto-filled URLs from copying the auto-filled
        selection to clipboard/primary.
      - Added the feature to pass a URL to open in a private window from the
        command-line.
      - Improved the display of the downloads indicator on the button in
        bright-text situations.
      - DOM storage now honors the "3rd party cookie" setting in that it will
        not allow 3rd party data to be stored if 3rd party cookies are
        disallowed.
      - Allowed toolbar button badges to be properly styled.
      - Updated the hunspell spellchecking library to 1.6.0 to fix a number
        of issues.
      - Fixed desktop notifications being off-screen if fired in rapid
        succession.
      - Added Element.insertAdjacentElement and Element.insertAdjacentText
        DOM functions.
      - Added support for JPEG-XR images. This makes Pale Moon have the broadest
        support for image formats of all web browsers. (enabled by default; you
        can disable this with media.jxr.enabled).
      - Completely removed the use of GStreamer on Linux.
      - Added support for Element.innerText.
      - Custom toolbars should now properly remember their state.
      - Fixed some more playback issues with MP4/MSE videos. Please be aware
        that we are still working on further improving MSE video handling.
      - Changed media processing to reduce dangerous processing asynchronicity.
        This should also make media elements and playback more responsive.
      - Fixed a useragent string regression always displaying the minor Goanna
        version as .0
      - Updated NSPR to 4.13.1.
      - Updated NSS to 3.28.3-RTM.
      - Fixed unrestricted icon sizes in PMkit buttons.
      - Fixed unresponsive buttons on support page when not building
        the updater.
      - Fixed the use of "View image" and "Save image as" on extremely
        large images.
      - Changed the way "View Image" and "Save image as" work on canvas
        elements.
      - Made checking for dangerously large resolution PNG images smarter. It
        will now accept larger "strip"-aspect ratio images while reducing
        unsupported large image resolutions. This will e.g. fix Gmail's "emoji"
        window that uses a ridiculously long but very narrow single image to
        store all the emoticon pictures.
      - Converted several hard-coded URLs to preferences.
      - Updated the google.com override so it would not cripple services based
        on UA sniffing.
      - Added Inner and Outer Window ID administration.
      - Fixed the add-on discovery pane detection.
      - Added support for canvas ellipse.
      - Improved drawing of certain MathML elements at problematic zoom levels.
      - No longer building gamepad support.
      - Updated Harfbuzz font shaper to 1.4.3 to fix a number of issues.
      - Fixed a number of crashes (layout, plugins, uncommon navigation,
        bad URLs).
      - Aligned SVG specular filters with the spec.

    - Security/privacy changes:
      - Added support for 256-bit AES-GCM encryption.
      - Added support for ChaCha20-Poly1305 encryption.
      - Removed support for Camellia-GCM since nobody seems interested in it.
        (Camellia in 128/256-bit CBC block mode is still fully supported).
      - Added support for SHA-224, SHA-256, SHA-384 and SHA-512 to Crypto utils.
      - Improved status handling of secure sites to be less sensitive to
        "insecure" items that are local.
      - Fixed print preview hijacking. (CVE-2017-5421)
      - Fixed a potentially exploitable crash in OnStartRequest. (CVE-2017-5416)
      - Fixed potential cross-origin content-stealing through a timing
        attack. (CVE-2017-5407)
      - Fixed a denial-of-service problem with view-source. (CVE-2017-5422)
      - Fixed crash in directional controls. (CVE-2017-5413)
      - Fixed a perceived problem with chrome manifests. (CVE-2017-5427)
      - Fixed the use of an uninitialized value. (CVE-2017-5405)
      - Fixed a buffer overflow. (CVE-2017-5412)
      - Fixed a UAF situation. (CVE-2017-5403)
      - Fixed a potential spoofing issue with the address bar. (CVE-2017-5417)
      - Fixed a potential issue in libvpx. (CVE-2017-5402) DiD
      - Fixed a potential issue with HTTP auth. (CVE-2017-5418)
      - Fixed several memory safety hazards and potentially exploitable crashes.

 -- Steven Pusser <stevep@mxlinux.org>  Sun, 19 Mar 2017 12:49:24 -0700

palemoon (27.1.2~repack-1mx15+1) mx; urgency=medium

  * New upstream release:
    -adds workaround for potential deadlocks happening in media elements.

 -- Steven Pusser <stevep@mxlinux.org>  Fri, 03 Mar 2017 13:45:54 -0800

palemoon (27.1.1~repack-1mx15+1) mx; urgency=medium

  * New upstream release:
    - Implemented a fix in media handling to prevent crashes with concurrent
      videos and/or rapidly starting/stopping video playback in the browser.
    - Fixed the way the Adobe Flash plugin is detected to prevent confusion with
      other plugins that identify themselves as "Flash" (e.g. VLC).
    - Windows: Solved stability issues caused by the release build process,
      resulting in unexpected behavior (e.g. hangups).

 -- Steven Pusser <stevep@mxlinux.org>  Wed, 22 Feb 2017 13:52:07 -0800

palemoon (27.1.0~repack-1) obs; urgency=medium

  * New major upstream release:
    - Reworked the media back-end completely (thanks Travis!) to use FFmpeg
      (including support for FFmpeg v3 and MP3 playback) and our own MP4 parser,
      and no longer relying on gstreamer on Linux, as well as adding some
      improvements on Windows for media parsing and playing.
    - On Linux, Apple .mov files of the correct type will also be played through
      FFmpeg now, for those rare occasions where they are still in use,
      considering there is no Quicktime plug-in available on that operating
      system.
    - Restored the classic about:config styling.
    - Added a fallback to US-ASCII if the autoconfig UTF-8 conversion fails.
    - Improved cross-compartment wrapper handling when managing a large number
      of tabs (fixes a performance regression with v27).
    - Changed the way audio and video synchronization is calculated to account
      for (slow) device latency, preventing things from getting out of sync on,
      e.g. BlueTooth-connected speakers.
    - Changed the way scripts are handled when they are stopped from the
      "unresponsive script" dialog, to prevent browser lockup. We will now stop
      all scripts in the affected compartment in one go.
    - Fixed several errors in the devtools.
    - Fixed a nasty crash caused by cross-origin referrers.
    - Added HTML5-spec clipboard handling for content (cut&copy only -- paste
      is not allowed for security reasons).
    - Made multiple changes to the toolkit jetpack modules to cater to PMkit
      extensions. This should make running SDK-based extensions as PMkit
      extensions fairly simple for extension developers.
    - Fixed a css layout issue: make max-width affect contributions to intrinsic
      min-width.
    - Implemented several updates to the permissions manager. Among others,
      improved the permissions manager (about:permissions) with a more complete
      set of permissions for pages.
    - Removed otherwise unused Metro browser platform/widget code.
    - Removed support for non-standard/deprecated let blocks and expressions.
    - Made the use of let as a keyword versionless and ES6 compliant.
    - Made the privacy category in preferences a tabbed setup to better fit the
      current options.
    - Fixed a regression preventing certain MP4 video files from playing.
    - Fixed a regression where seeking in media files would halt playback/jump
      to the end of the stream.
    - Fixed a crash caused by certain downloadable fonts with DirectWrite
      in use.
     -Improved downloads-button indicator legibility on some combinations of
      Windows versions and system theme colors.
    - Changed the Facebook user-agent override to be our native one, based on
      reports from users that it is (finally) working acceptably.
    - Fixed site-specific useragents being ignored if a global override is
      defined.

    Security/privacy changes:

    - Changed CORS handling to allow data: sources, assuming they are
      same-origin. This should fix the infamous "Facebook endless reload" issue
      and may make some other sites that assume this particular (unspecified)
      CORS behavior happy with Pale Moon.
    - Reinstated the network.stricttransportsecurity.enabled preference so
      people who choose privacy over HSTS can do so again.
    - Added, In HSTS "off" state, prevention of HSTS site status from being
      written to disk.
    - Updated the IDN blacklist with more extended unicode characters that
      "look very similar to" normal ASCII characters, to prevent spoofing of
      well-known domains. If blacklisted characters are found, the IDN domain
      name will be displayed in its punycode form. (CVE-2017-5383 and similar)
    - Fixed an exploitable crash when using MP4 video. (CVE-2017-5396)
    - Fixed an exploitable crash in XSL parsing. (CVE-2017-5376)
    - Fixed a potential security issue when exporting certificates with
      specially-crafted credentials. (CVE-2017-5381)
    - Fixed a potential use-after-free situation in frame selection.
      (CVE-2017-5380) DiD
    - Fixed a leak of window details through the Ion compiler in certain
      situations.
    - Fixed the potential for an exploitable crash involving Javascript GC. DiD
    - Fixed a potential overflow situation in (non-released) WebRTC code. DiD
    - Fixed a potentially unsafe situation in websockets. DiD
    - Fixed several memory and other safety hazards (BMO bugs 1318766, 1325877,
      1328834 DiD, 1288561 DiD, 1322420 DiD, 1293327 DiD, 1322315, 1325344,
      1285960).
  * debian/mozconfig:
    - add "ac_add_options --disable-necko-wifi" and "--disable-gstreamer"..
    - drop "ac_add_options --enable-jemalloc-lib".
  * debian/control:
    - remove all gstreamer dependencies and build-deps.
    - ffmepg | libav-tools added to Depends.

 -- Steven Pusser <stevep@mxlinux.org>  Thu, 09 Feb 2017 13:53:41 -0800

palemoon (27.0.3~repack-3) stable; urgency=medium

  * debian rules and control: add some code and alternative depends to force
    building on gcc-4.9 on releases that default to gcc 5 or 6.

 -- Steven Pusser <stevep@mxlinux.org>  Wed, 25 Jan 2017 10:19:25 -0800

palemoon (27.0.3~repack-2) stable; urgency=medium

  * debian/mozconfig: reenable the dev tools.
  * debian/rules: don't install duplicate /usr/lib/palemoon/palemoon-bin file.

 -- Steven Pusser <stevep@mxlinux.org>  Thu, 29 Dec 2016 12:05:29 -0800

palemoon (27.0.3~repack-1) stable; urgency=medium

  * New upstream bugfix and security release.

 -- Steven Pusser <stevep@mxlinux.org>  Mon, 19 Dec 2016 20:05:49 -0800

palemoon (27.0.2~repack-1mx15+1) mx; urgency=medium

  * New upstream bugfix release.
    -fixed crash in SVG renderer related to CVE-2016-9079 (defense in depth)
    -Firefox compatibility mode is default in useragent string.
  * Drop debian/menu, deprecated with the use of desktop file.
  * Drop use of debian/palemoon.xpm, link takes care of that in pixmaps.
  * Install much better palemoon.desktop from source instead of from debian
    folder.

 -- Steven Pusser <stevep@mxlinux.org>  Fri, 02 Dec 2016 17:39:30 -0800

palemoon (27.0.1~repack-3mx15+1) mx; urgency=medium

  * Revise debian/mozconfig to remove deprecated configs and add sse2
    optimization.
  * debian/rules: add override to help shlibdeps find libs on some releases.

 -- Steven Pusser <stevep@mxlinux.org>  Wed, 30 Nov 2016 16:42:03 -0800

palemoon (27.0.1~repack-2mx15+1) mx; urgency=medium

  * debian/mozconfig: drop the "1.0" from the gstreamer flag.
  * debian/install: don't install anything from /integration; part of default
    install now.
  * debian/compat: bump compat level to 9.

 -- Steven Pusser <stevep@mxlinux.org>  Sun, 27 Nov 2016 13:50:54 -0800

palemoon (27.0.1~repack-1) mx; urgency=medium

  * New upstream release.

 -- Steven Pusser <stevep@mxlinux.org>  Sat, 26 Nov 2016 10:09:18 -0800

palemoon (26.5.0~repack-1mx150+1) mx; urgency=medium

  * Repackaged for MX 15.

 -- Mike Elstad (v3g4n) <maintainer@mepiscommunity.org>  Thu, 29 Sep 2016 18:22:24 -0500

palemoon (26.5.0~repack-1) obs; urgency=medium

  * New upstream release:
    Fixes/Changes:
    - Implemented a breaking CSP (content security policy) spec change; when a
      page with CSP is loaded over http, Pale Moon now interprets CSP directives
      to also include https versions of the hosts listed in CSP if a scheme
      (http/https) isn't explicitly listed. This breaks with CSP 1.0 which is
      more restrictive and doesn't allow this cross-protocol access, but is in
      line with CSP 2 where this is allowed.
    - Fixed an issue with the XML parser where it would sometimes end up in an
      unknown state and throw an error (e.g. when specific networking errors
      would occur).
    - Improved the performance of canvas poisoning by explicitly
      parallelizing it.

    Security fixes:
    - Fixed a potentially exploitable crash related to text writing direction.
      (CVE-2016-5280)
    - Made checking for invalid PNG files more strict. Pale Moon will now reject
      more PNG files that have corrupted/invalid data that could otherwise lead
      to potential security issues.
    - Changed the way paletted image frames are allocated so the space is
      cleared before it's used. DiD
    - Fixed a crash in nsNodeUtils::CloneAndAdopt() due to a typo. DiD
    - Fixed several memory safety errors.

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Wed, 28 Sep 2016 11:44:18 -0700

palemoon (26.4.1~repack-1) obs; urgency=medium

  * New upstream release:
    Changes/fixes:
    - Fixed a crash in the XSS filter.
    - Slightly changed the address bar shading on secure sites to be more subtle
      and easily-blended.
    - Fixed the occurrence of "null" titles in bookmarks dragged from special
     folders.
    - Fixed an error initializing the browser due to trying to restore
      scratchpad data from a stored session when having switched from a version
      with devtools to a version without devtools, and the previous version had
      scratchpad data saved.
    - Fixed some minor issues in scratchpad and gcli devtools.

    Security fixes:
    - Updated the HSTS preload list to a much more updated source list, and
      performing our own checks on validity from now on to have the list be as
      accurate as possible.
    - Disabled Triple-DES cipher suites by default (mitigating SWEET32).

  * Add a "~repack" to the versioning because we have to repack the source.

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Fri, 23 Sep 2016 17:07:58 -0700

palemoon (26.4.0-1mx150+1) mx; urgency=medium

  * New upstream release:
    - Removed Google Search as a bundled search provider. If desired, you can
      manually install it (or other search engines) after the update by following
      the steps in the Manage Search Engines topic.
    - Fixed the URL API to allow "stringification" of the object per
      specification. This should make a number of websites happy.
    - Added the ES6 string .includes() function in addition to the pre-existing
      .contains() function for  checking if a string contains another string.
      The .contains() function is retained for compatibility with web and
      extension scripts that adhere to the ES6 pre-release specification up to
      and including RC3.
    - Fixed the calculation of standalone SVG embeds width and height, which
      should solve some reported issues with html5 graphs being displayed
      incorrectly.
    - Linux: improved memory allocation.
    - Updated the graphite font library to 1.3.9.
    - Added a blocking rule for F-Secure's 64-bit deepguard library to prevent
      crashes.
    - Updated the SQLite library to 3.13.0.
    - Download= properties of links are now honored from the context menu
      "Save" option.
    - Fixed a crash in the XSS filter.
    - Fixed a crash in the DOM error module.
    - Worked around a crash on Linux
    - Linux: Improved optimization and GCC6 compatibility (Note: compiling with
      GCC 6 is still not recommended and it may or may not work, depending on
      your environment)

    Security fixes:
    - (CVE-2016-5251)Potential URL spoofing in the address bar.
    - (CVE-2016-0718) Context-dependent crash in expat 2.1.0.
    - (CVE-2016-5266) Outgoing dataTransfer items are not properly filtered.
    - Fixed potentially exploitable crash in the array splice implementation.
    - Fixed potentially exploitable crash caused by badly formatted ICO files.
    - (CVE-2016-5254) Heap-use-after-free in nsXULPopupManager::KeyDown

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Fri, 19 Aug 2016 13:08:56 -0700

palemoon (26.3.3-1mx150+1) mx; urgency=medium

  * New upstream release:
    - Fixed an additional issue found that could cause menu text on Windows 10
      to be white-on-white (and therefore unreadable).
    - Fixed an issue with news feeds not showing up when embedded in web pages.
    - Removed recently-added parsing of the child-src content security policy
      directive, after some web compatibility issues with it came to light, as
      well as it becoming clear that the CSP spec will see it removed in favor
      of the previous directive for embedded content. This should fix some
      intermittent issues people have reported on e.g. the main google.com page
      and phpMyAdmin installations.

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Fri, 01 Jul 2016 12:50:32 -0700

palemoon (26.3.2-1mx150+1) mx; urgency=medium

  * New upstream release:
    - 26.3.2 (2016-06-27) - Windows only
      This release only has pertinent changes for Windows. Other operating
      systems do not need this update.
      Changes/fixes:

     -Fixed a rare issue where the browser would not initialize properly
      (missing bookmarks and menu entries) if certain Windows registry values
      were missing (Windows 8 only).
     -Fixed an issue on Windows 10 where the classic menu bar would become
      unreadable (white on white).
     -Portable only: Switched to non-compressed binaries to prevent issues with
      antivirus packages, to prevent issues with browser run-time operation, and
      to simplify code signing.

    - 26.3.1 (2016-06-25)
      Changes/fixes:

     -Fixed an issue with new tab button theming on dark toolbars.
     -Reverted the useragent identification of Firefox compatibility mode to
      38.9 to avoid  WOFF2 font issues for sites that don't use proper font
      deployment as recommended by the W3C.
     -Added a site-specific override for Google fonts to make sure it always
      works even if not using Firefox compatibility mode. (workaround pending
      for a proper solution on Google's side)
     -Adjusted the "dark color" detection routine to switch text to white at
      higher relative contrast levels. This will more closely match Windows 10's
      "flip point" for different accent colors and is within the recommended
      range determined by the WCAG.

    - 26.3.0 (2016-06-21)
      Changes/fixes:

     -Added detection for dark system themes on Windows 10 and re-worked Windows
      10 specific theming to better integrate into the OS and provide more
      clarity.
     -HTML5 media controls have been reworked to a horizontal volume control on
      all media, including HTML5 audio that was previously without an
      element-control for volume.
     -Default HTML5 media volume preference added as media.default_volume --
      fractional, default 1.0 (=100%).
     -String.prototype.match() and .replace() are now fully spec compliant.
     -NSPR and NSS now correctly no longer enforce IA32 architecture
      compatibility, getting the advantage of SSE2 like the rest of the code.
     -Worked around crashes in the XSS filter when navigating back in history
      due to document fragments.
     -Instated a hard minimum of 10,000 places entries regardless of free disk
      space and total memory to prevent undesired expiration of history. That is
      around 16MB for an average entry size, which should be sane enough even on
      low-memory machines.
     -Fixed a typo in networking code introduced in 26.2.2 that would cause
      issues on some sites due to adding extra forward slashes to the URL.

    - Security fixes:

     -Fixed a number of memory safety hazards and potentially exploitable
      crashes.
     -Fixed CVE-2016-2821 Use-after-free in the mozilla::dom::Element class
     -Fixed netaddr deserialization for AF_UNSPEC and AF_LOCAL.
     -Fixed a memory overrun error in the VP8 encoder. DiD
     -Fixed non-threadsafe re-use of pixman images to prevent potential race
      conditions. DiD
     -Fixed CVE-2016-2825 Partial Same Origin Policy violation

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Mon, 27 Jun 2016 10:51:22 -0700

palemoon (26.2.2-1mx150+1) mx; urgency=medium

  * New upstream bugfix and security release:

    - CSS classes prefixed with "--" no longer stop parsing of the selectors.
    - Several crash fixes.
    - Made GC suppression more aggressive to prevent issues when actually out
      of memory.
    - Fixed a memory safety hazard in jpeg decoding.
    - Fixed a potentially exploitable crash when using bi-directional text.
    - Updated NSS to 3.19.4.2-PM, fixing CVE-2016-1938 among other things.
  * Add Suggested packages gstreamer1.0-libav, gstreamer1.0-plugins-good,
    gstreamer1.0-plugins-bad, gstreamer1.0-plugins-ugly to provide the most
    comprehensive HTML 5 media playback.

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Tue, 10 May 2016 18:26:54 -0700

palemoon (26.2.1-2) mx; urgency=medium

  * Switch to gstreamer 1.0 build-deps.

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Sat, 09 Apr 2016 10:58:13 -0700

palemoon (26.2.1-1) mx; urgency=medium

  * New upstream release.

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Fri, 08 Apr 2016 20:50:19 -0700

palemoon (26.1.1-1mx150+1) mx; urgency=medium

  * Repackaged for MX 15.

 -- Mike Purtell <mandbx@sbcglobal.net>  Sat, 27 Feb 2016 19:41:04 -0800

palemoon (26.1.0-1mx150+1) mx; urgency=medium

  * New security, web compatibility, and bugfix release.

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Wed, 17 Feb 2016 10:18:12 -0800

palemoon (26.0.3-1mx150+1) mx; urgency=medium

  * Repackaged for MX 15.

 -- Mike Purtell <mandbx@sbcglobal.net>  Sat, 06 Feb 2016 18:02:47 -0800

palemoon (26.0.2-1mx150+1) mx; urgency=medium

  * Repackaged for MX 15.

 -- Mike Purtell <mandbx@sbcglobal.net>  Thu, 04 Feb 2016 19:31:53 -0800

palemoon (26.0.2-1mcr120+1) mepis; urgency=medium

  * New security and bugfix release.
  * Install extensions directly from /integration folder in source, remove
    debian/distribution.

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Thu, 04 Feb 2016 14:02:54 -0800

palemoon (26.0.0-1mcr120+2) mepis; urgency=medium

  * Install addons from debian/distribution, taken from Pale Moon tarball.

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Mon, 01 Feb 2016 08:08:54 -0800

palemoon (26.0.0-1mcr120+1) mepis; urgency=medium

  * Add libpulse-dev to build-depends to prevent FTBFS.
  * Add Suggests: gstreamer0.10-ffmpeg to debian/control file.
  * Add Mozilla Public License 2.0 to debian/copyright.
  * debian/mozconfig: use -O2 optimization and remove the jmalloc option,
    and match what results from about:buildconfig from the official binary.

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Tue, 26 Jan 2016 15:43:43 -0800

palemoon (25.8.1-2mcr120+1) mepis; urgency=medium

  * Drop mozconfig.patch; use debian/mozconfig instead.
  * Refresh debian/copyright.

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Sun, 06 Dec 2015 13:08:26 -0800

palemoon (25.8.1-1mcr120+1) mepis; urgency=medium

  * A small update to address two important issues:
    - Fix for a crash that could occur at random since the update to 25.8.0.
    - Fix for CSP (Content Security Policy) to be more lenient towards the
      incorrect passing of full URLs with all sorts of parameters in the CSP
      header, leading to misinterpretation of the header and incorrectly
      blocking the loading of content.

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Mon, 30 Nov 2015 10:20:18 -0800

palemoon (25.8.0-1mcr120+1) mepis; urgency=medium

  * New bugfix and maintenance release:
     Fixes/changes:
     - Updated LibVPX to 1.4.x to be able to play more kinds of VP9-encoded
       videos.
     - Updated the JPEG decoder library to 1.4.0.
     - Fixed and cleaned up XPCOM timer thread code to avoid intermittent
       issues with events not firing (especially after stand-by).
     - Updated overrides to work around issues with Facebook and Netflix.
     - Fixed an issue where too-old system-supplied NSPR and/or NSS libraries
       would be accepted for use.

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Wed, 18 Nov 2015 11:52:32 -0800

palemoon (25.7.3-1mcr120+1) mepis; urgency=medium

  * New bugfix and maintenance release:
    - usability update needed due to the fact that Mozilla has shut down their key
      exchange (J-PAKE) server along with the old Sync servers.

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Wed, 14 Oct 2015 19:40:39 -0700

palemoon (25.7.2-1mcr120+1) mepis; urgency=medium

  * New bugfix and maintenance release:
    - Fixed a critical hang caused by recursive reloads that might happen in
      iframes if its hash changed.
    - Fixed a critical hang caused by lazy-loading of stylesheets through a
      specific web programming technique as advocated by Google's PageSpeed.

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Mon, 05 Oct 2015 15:19:18 -0700

palemoon (25.7.1-1mcr120+1) mepis; urgency=medium

  * New bugfix and maintenance release:

     Fixes/changes:

    - Code cleanup: Removed the majority of remaining telemetry code (including
      the data reporting back-end and health report) to prevent a few issues
      with partially removed code in earlier versions.
    - Fixed a crash due to handling of bogus URIs passed to CSS style filters
      (e.g. whatsapp's web interface).
    - Permitted spec-breaking syntax in Regex character classes, allowing
      ranges that would be permitted per the grammar rules in the spec but not
      necessarily following the syntax rules. This impacts a good number of
      (also higher profile) sites that use invalid ranges in regular
      expressions (e.g. Cisco's networking academy site, Yahoo Fantasy
      Football).
    - Fixed a crash due to the newly introduced WASAPI handling of audio
      channel mapping that doesn't like actual surround hardware setups (e.g.
      playing a video with quadraphonic audio on a 4-speaker setup).
    - Fixed an issue where site-specific dictionary selections would be written
      to content preferences without the user's action, potentially overwriting
      or clearing a previously-chosen dictionary.
    - Added support for drag and drop of local files from sources which use
      text/uri-lists. (Some Linux flavors/file managers)
    - Updated libnestegg to the most current version.
    - Fixed an issue where setting the location to an empty string could cause
      a reload loop.

      Security fixes:

    - Changed the jemalloc poison address to something that is not a NOP-slide.
      DiD
    - Fixed a memory safety hazard in ConvertDialogOptions (CVE-2015-4521)
    - Fixed a buffer overflow/crash hazard in the
      VertexBufferInterface::reserveVertexSpace function in libGLES in ANGLE
      (CVE-2015-7179)
    - Fixed an overflow/crash hazard in the XULContentSinkImpl::AddText function
      (CVE-2015-7175)
    - Fixed a stack buffer overread hazard in the ICC v4 profile parser
      (CVE-2015-4504)
    - Fixed an HTMLVideoElement Use-After-Free Remote Code Execution 0-day
      vulnerability (ZDI-CAN-3176) (CVE-2015-4509)
    - Fixed a potentially exploitable crash in nsXBLService::GetBinding
    - Fixed a memory safety hazard in nsAttrAndChildArray::GrowBy
      (CVE-2015-7174)
    - Fixed a memory safety hazard for callers of nsUnicodeToUTF8::GetMaxLength
      (CVE-2015-4522)
    - Fixed a heap buffer overflow/crash hazard caused by invalid WebM headers
      (CVE-2015-4511)

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Wed, 30 Sep 2015 12:11:14 -0700

palemoon (25.7.0-1mcr120+1) mepis; urgency=medium

  * New bugfix and maintenance release:
    - Code cleanup: Removed the (otherwise unused) visual event tracer code.
    - Code cleanup: Removed reflow performance tracing code (telemetry).
    - Fixed a key JavaScript bug where defining properties on an object would
      wipe the object.
    - This seems to be a common issue with "modern" libraries that use "define"
      instead of "change" and expecting the other properties on the object to be
      retained, resulting in "x is undefined" errors all over the place if the
      object is wiped.
    - This aligns the behavior with ES6's "Validate and apply property
      descriptor" pseudo-function.
    - Updated the SQLite library to 3.8.11.1.
    - Added support for the element.matches() Web API function.
    - Added support for BASE tag parsing in source view. Previously, when
      viewing the source of a document, clickable links would be incorrect if a
      base path was specified in the document with this tag.
    - Fixed an issue with running timers after the computer would have been put
      to sleep with the browser opened.

     Security fixes:

    - Added protection against potential bugs where our SVG mPositions is out of
      sync with the characters in the DOM. DiD
    - Fixed use-after-free vulnerability in XMLHttpRequest::Open()
      (CVE-2015-4492)
    - Fixed use-after-free vulnerability in the StyleAnimationValue class
      (CVE-2015-4488)
    - Fixed crash or memory corruption in nsTArray (CVE-2015-4489)
    - Fixed crash or memory corruption in nsTSubstring::ReplacePrep
      (CVE-2015-4487)
    - Fixed potential escalation of privileges or crash (out-of-bounds write)
      via a crafted name in MARs (x64 only) -(CVE-2015-4482)
    - Fixed an issue that would allow man-in-the-middle attackers to bypass a
      mixed-content protection mechanism via a feed: URL in a POST request.
      (CVE-2015-4483)
  * Added blurb to postinst script.

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Wed, 26 Aug 2015 14:50:58 -0700

palemoon (25.6.0-1mcr120+1) mepis; urgency=medium

  * New upstream release.
  * Add debian README.7z-source to explain how to use the .7z source archive.

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Fri, 31 Jul 2015 16:40:45 -0700

palemoon (25.5.0-1mx150+1) mx; urgency=medium

  * Rebuild for MX 15.

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Fri, 26 Jun 2015 14:43:57 -0700

palemoon (25.5.0-1mcr120+1) mepis; urgency=medium

  * New upstream release.

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Thu, 11 Jun 2015 14:53:31 -0700

palemoon (25.4.1-1mcr120+1) mepis; urgency=low

  * Bugfix release, rebuild for MEPIS 12.0.

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Fri, 01 May 2015 12:47:55 -0700

palemoon (25.3.1-0mcr120+1) mepis; urgency=low

  * Rebuild for MEPIS 12.0.
  * debian/rules: compress deb packages with xz.

 -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org>  Thu, 26 Mar 2015 11:23:26 -0700

palemoon (25.3.1-0~precise1) precise; urgency=low

  * New upstream release

 -- Marián Kadaňka <marian.kadanka@openmailbox.org>  Wed, 25 Mar 2015 20:46:17 +0100

palemoon (25.3.0-0~trusty1) trusty; urgency=low

  * New upstream release

 -- Marián Kadaňka <marian.kadanka@openmailbox.org>  Sat, 14 Mar 2015 12:12:57 +0100

palemoon (25.2.1-0~trusty1) trusty; urgency=low

  * New upstream release

 -- Marián Kadaňka <marian.kadanka@openmailbox.org>  Sun, 01 Feb 2015 16:18:52 +0100

palemoon (24.5.0-0~precise1) precise; urgency=low

  * Initial packaging

 -- Marián Kadaňka <marian.kadanka@openmailbox.org>  Mon, 12 May 2014 20:42:01 +0200
bgstack15